[
https://issues.apache.org/jira/browse/METRON-903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991326#comment-15991326
]
ASF GitHub Bot commented on METRON-903:
---------------------------------------
Github user james-sirota commented on the issue:
https://github.com/apache/incubator-metron/pull/556
Just spun up the dashboard. The YAF portion is correct. The YAF sensor
produces flow information from A to B and you produce a table that counts and
orders them. Bro is almost correct. Bro produces HTTP and DNS metadata for
us. So you need to differentiate by protocol. In case of Bro-DNS your
dashboard should say top DNS requests. In case of Bro-HTTP your dashboard
should say top HTTP requests. Snort is an IDS that produces alerts. So your
dashboard should say top number of generated alerts.
One thing that would be useful here is to add a second dashboard for YAF
that would give me a histogram for a connection of my choice. For example,
your top connection is 192.168.66.1->192.168.66.121 | 867. If I could have a
second follow-up dashboard where i could have 4 boxes: sourceIP, destIP,
TimeBinSize, HowFarToReachBack. An example use would be that I would take the
top connection and do the following: SourceIP= 192.168.66.1,
DestIP=192.168.66.121, TimeBinSize=5 mins, HowFarToReachBack=3hours. Then it
draws a histogram of the top connection for me in 5 min increments reaching
back 3 hours.
> Create a connections report in Zeppelin
> ---------------------------------------
>
> Key: METRON-903
> URL: https://issues.apache.org/jira/browse/METRON-903
> Project: Metron
> Issue Type: New Feature
> Reporter: Justin Leet
> Assignee: Justin Leet
>
> User types in range into a search box
> System generates connections report:
> IP(A) -> IP(B) : # of times
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
